No, that option does tell syscheckd to ignore that entire folder and subcontents. If you have windows, I believe its different.
See http://www.ossec.net/main/manual/manual-syscheck#examples On Jan 24, 11:03 am, Julien Vehent <[email protected]> wrote: > On Mon 23.Jan'12 at 11:46:17 -0800, BP9906 wrote: > > > Your ignore syntax for ossec.conf might be a bit off. > > > Try this: > > > <ignore type="sregex">^/etc/something</ignore> > > > That will ignore anything that starts with /etc/something. Then > > restart the agent of course to take effect. > > That will ignore the alerts, but not prevent syscheckd from browsing > that directory, which is the issue. > > The ignore rule works fine: content of that directory does not generate > alerts. But my problem is with syscheckd scanning a 12TB NFS share. > > - Julien
